Privacy Policy

Last updated: May 2026 · Flo Financial Technology · flo-hk.com

1. Who we are

Flo Financial Technology ("Flo", "we", "us") operates the financial management application at flo-hk.com. We are registered in Hong Kong. Contact: hello@flo-hk.com

2. What data we collect

• Account data: email address, name, company name
• Financial data: invoices you create, expenses you log, income figures, tax reserve settings
• Usage data: pages visited, features used, login timestamps
• Payment data: handled entirely by Airwallex — we do not store card numbers
• Receipt images: uploaded photos stored securely in Cloudflare R2

3. How we use your data

• To provide the Flo service: invoicing, expense tracking, tax reserve calculation
• To send transactional emails: invoices, payment reminders, weekly digest
• To improve the product: aggregated, anonymised usage analytics only
• To comply with legal obligations under Hong Kong law

We do not sell your data. We do not use your financial data to train AI models. We do not share your data with advertisers.

4. AI features and financial estimates

5. Data storage and security

• Database: Cloudflare D1 (SQLite), stored at Cloudflare's Hong Kong edge nodes
• Authentication: Supabase Auth, hosted in Singapore (Southeast Asia region)
• File storage: Cloudflare R2, globally distributed
• Encryption: TLS 1.3 in transit, AES-256 at rest
• Access control: Row-level security — you can only access your own data

6. Cross-border data transfer

Your data is processed by Supabase (Singapore) for authentication and Cloudflare (global edge, including Hong Kong) for the application database and file storage. Both are contractually bound to protect your data. By using Flo, you consent to this transfer.

7. Data retention

• Financial records (invoices, expenses, tax data): retained for 7 years from the date of creation, as required by the Hong Kong Inland Revenue Department
• Account data: retained while your account is active
• After account deletion: all personal data removed within 30 days, except records required by law

8. Your rights under PDPO

Under Hong Kong's Personal Data (Privacy) Ordinance, you have the right to:

• Access your personal data (we will provide it within 40 days of written request)
• Correct inaccurate data
• Delete your account and all associated data (within 30 days)
• Export your data in JSON format at any time via Settings → Export data
• Opt out of non-essential email communications

To exercise these rights, email hello@flo-hk.com with the subject "Data Request".

9. Data breach notification

In the event of a data breach affecting your personal data, we will notify you by email within 72 hours of becoming aware of the breach. If 100 or more users are affected, we will also notify the Office of the Privacy Commissioner for Personal Data Hong Kong.

10. Third-party services

• Airwallex — payment processing. Subject to Airwallex's Privacy Policy
• Resend — transactional email delivery. Email content only, no financial data
• Supabase — authentication. Email address only
• Cloudflare — hosting, database, CDN. Subject to Cloudflare's Privacy Policy
• Anthropic Claude API — AI features. Prompts include your financial context but no personally identifiable information beyond what is necessary

11. Cookies

Flo uses only functional cookies necessary for authentication (session management). We do not use tracking cookies or advertising cookies.

12. Changes to this policy

We will notify you by email of any material changes to this Privacy Policy at least 14 days before they take effect.

13. Contact

For any privacy-related questions or requests: hello@flo-hk.com

Office of the Privacy Commissioner for Personal Data Hong Kong: www.pcpd.org.hk